Packet capture tool tcpdump: introduction, application cases and summary

Source: Internet
Author: User

Part 1: Introduction to the Linux packet capture tool tcpdump


1. Tcpdump Introduction


tcpdump captures the headers of packets transmitted on the network and decodes them for analysis. It can filter by network layer, protocol, host, network or port, and supports the logical operators and, or and not to discard uninteresting traffic. tcpdump is a free network analysis tool; because it ships with its source code and exposes its interfaces it is highly extensible, which makes it a useful tool both for network maintainers and for intruders. tcpdump is part of the FreeBSD base system. Because it must put the network interface into promiscuous mode, ordinary users cannot run it normally, but a user with root privileges can run it directly and obtain information from the network. The presence of a network analysis tool on a system is therefore primarily a threat not to that host's own security but to the security of the other computers on the network.

Defined as simply as possible, tcpdump means "dump the traffic on a network": a packet analysis tool that captures packets on the network according to a user-defined filter. As the classic tool of the Internet system administrator, tcpdump's powerful functions and flexible capture strategy make it indispensable to every senior administrator for analysing the network and troubleshooting problems.


2. Use of tcpdump


With no arguments, tcpdump listens on the first network interface and prints every packet that passes through it.

# tcpdump
tcpdump: listening on fxp0
11:58:47.873028 202.102.245.40.netbios-ns > 202.102.245.127.netbios-ns: udp 50
11:58:47.974331 0:10:7b:8:3a:56 > 1:80:c2:0:0:0 802.1d ui/C len=43
                         0000 0000 0080 0000 1007 cf08 0900 0000
                         0e80 0000 902b 4695 0980 8701 0014 0002
                         000f 0000 902b 4695 0008 00
11:58:48.373134 0:0:e8:5b:6d:85 > Broadcast sap e0 ui/C len=97
                         ffff 0060 0004 ffff ffff ffff ffff ffff
                         0452 ffff ffff 0000 e85b 6d85 4008 0002
                         0640 4d41 5354 4552 5f57 4542 0000 0000
                         0000 00

tcpdump supports a large number of parameters. For example, -i selects the network interface to listen on, which is useful when the machine has more than one interface; -c limits the number of packets to capture; -w saves the captured packets to a file; and so on.





The more complex tcpdump parameters, however, are those used for filtering. Network traffic is heavy, and if every packet is captured indiscriminately the amount of data becomes too large to find the packets you need. The filter rules defined by these parameters capture only specific packets, narrowing the target so that network problems can be analysed more easily. tcpdump filter parameters specify the type, address, port and so on of the packets to monitor; chosen according to the specific network problem, they locate a fault quickly. See man tcpdump for the exact syntax of these filter rules.





For safety, network analysis software should not run on computers that are not used for network management. To block it, the bpfilter pseudo-device can be removed from the kernel. Network hardware and the TCP/IP stack normally do not receive or send packets that are unrelated to the local machine; to receive such packets the network adapter must be put into promiscuous mode and the standard TCP/IP stack bypassed. Under FreeBSD this requires kernel support for the bpfilter pseudo-device, so removing bpfilter support from the kernel disables tcpdump and other network analysis tools.





When a NIC is switched into promiscuous mode, the system leaves a record on the console and in the log file, so the administrator can check whether the system is being used as a springboard for attacking other computers on the same network.





May 16:27:20 host1 /kernel: fxp0: promiscuous mode enabled





Although a network analysis tool can record the data transmitted on the network, the volume of that data is large, so how to analyse it, classify and count it, and discover and report errors is the more critical problem. Packets on a network belong to different protocols, and each protocol has its own packet format, so decoding the captured data and displaying as much of the information in each packet as possible is what matters for a protocol analysis tool. The advantage of expensive commercial analysis tools is that they support many application layer protocols, not only low-level protocols such as TCP and UDP.





As the tcpdump output above shows, tcpdump does not fully decode the captured data: most of the packet content is printed directly in hexadecimal. This is clearly inconvenient for analysing network faults, so the usual approach is to capture with tcpdump -w, save the data to a file and then decode it with another program. Filter rules should of course also be defined so that the captured packets do not fill the whole hard disk. FreeBSD provides a useful decoder, tcpshow, which can be installed from the Packages Collection.





# pkg_add /cdrom/packages/security/tcpshow*
# tcpdump -c 3 -w tcpdump.out
tcpdump: listening on fxp0
# tcpshow < tcpdump.out
---------------------------------------------------------------------------
Packet 1
TIME:   12:00:59.984829
LINK:   00:10:7b:08:3a:56 -> 01:80:c2:00:00:00 type=0026
<*** No decode support for encapsulated protocol ***>
---------------------------------------------------------------------------
Packet 2
TIME:   12:01:01.074513 (1.089684)
LINK:   00:A0:C9:AB:3C:DF -> FF:FF:FF:FF:FF:FF type=ARP
ARP:    htype=Ethernet ptype=IP hlen=6 plen=4 op=request
        sender-MAC-addr=00:A0:C9:AB:3C:DF sender-IP-address=202.102.245.3
        target-MAC-addr=00:00:00:00:00:00 target-IP-address=202.102.245.3
---------------------------------------------------------------------------
Packet 3
TIME:   12:01:01.985023 (0.910510)
LINK:   00:10:7b:08:3a:56 -> 01:80:c2:00:00:00 type=0026
<*** No decode support for encapsulated protocol ***>





tcpshow can decode packets and display the decoded data in several ways; users should choose the most suitable parameters from its manual page to analyse the captured packets. As the example shows, the set of protocols tcpshow supports is not rich, and packets of unsupported protocols are not decoded.





Besides tcpdump, the FreeBSD Packages Collection provides two further network analysis tools, ethereal and sniffit, as well as other security tools built on network analysis. ethereal runs under X Window and has a pleasant graphical interface; sniffit uses a character-mode window and is also easy to operate. Because tcpdump has the stronger support for filter rules, however, system administrators still prefer it. For an experienced network administrator these tools serve not only to understand how the network is running and where a fault occurred, but also for useful statistics: which protocol generates most of the traffic, which host is busiest, where the network bottlenecks are, and so on. A network analysis tool is therefore a valuable system tool for network management. To prevent data from being abused through capture by a network analysis tool, the key is the physical structure of the network. The common approach is to separate trusted and untrusted networks with a switch or bridge, so that an external segment cannot eavesdrop on internal data transmission; this still does not solve the security problems of communication between the internal and external networks. If funds are not sufficient to replace a shared hub with an Ethernet switch, a FreeBSD system can perform the bridging task: rebuild the kernel with the option BRIDGE compile option, then start the bridging function with the bridges command.





tcpdump is a command line tool, with this command format:

tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ]
        [ -i interface ] [ -r file ] [ -s snaplen ]
        [ -T type ] [ -w file ] [ expression ]





(1). Introduction to tcpdump options

-a    convert network addresses and broadcast addresses into names;
-d    print the compiled packet-matching code in a human-readable assembly-like form;
-dd   print the packet-matching code as a C program fragment;
-ddd  print the packet-matching code as decimal numbers;
-e    print the data link layer header on each output line;
-f    print foreign Internet addresses numerically;
-l    make standard output line buffered;
-n    do not convert network addresses into names;
-t    print a timestamp on each output line;
-v    slightly more verbose output, e.g. the TTL and type of service of an IP packet;
-vv   even more verbose output;
-c    stop after receiving the specified number of packets;
-F    read the filter expression from the specified file, ignoring any expression on the command line;
-i    specify the network interface to listen on;
-r    read packets from the specified file (normally produced with the -w option);
-w    write the raw packets to a file instead of parsing and printing them;
-T    interpret captured packets directly as the specified type, typically used for RPC (Remote Procedure Call) and SNMP (Simple Network Management Protocol) messages.





(2). Introduction to Tcpdump expressions





An expression is a filter expression that tcpdump uses as the condition for selecting packets: a packet that satisfies the expression is captured. If no expression is given, every packet on the network is captured. An expression is built from several kinds of keywords.

The first kind are type keywords, mainly host, net and port. For example host 210.27.48.2 means that 210.27.48.2 is a host, net 202.0.0.0 means that 202.0.0.0 is a network address, and port 23 means port number 23. If no type is given, host is the default.

The second kind are direction keywords, mainly src, dst, dst or src and dst and src, which indicate the direction of transfer. For example src 210.27.48.2 means the source address of the IP packet is 210.27.48.2, and dst net 202.0.0.0 means the destination network address is 202.0.0.0. If no direction keyword is given, src or dst is the default.

The third kind are protocol keywords, mainly fddi, ip, arp, rarp, tcp and udp. fddi selects the network protocol on an FDDI (Fiber Distributed Data Interface) network; in effect it is an alias of ether, since FDDI and Ethernet have similar source and destination addresses, so FDDI packets can be treated and analysed as Ethernet packets. The other keywords select the protocol content of the monitored packet. If no protocol is given, tcpdump listens for packets of all protocols.

Besides these three kinds of keywords, the other important ones are gateway, broadcast, less and greater, plus three logical operators: negation is not or !, conjunction is and or &&, disjunction is or or ||. These keywords can be combined into powerful conditions to meet most needs; a few examples follow.





a. To capture all packets received and sent by host 210.27.48.1:

# tcpdump host 210.27.48.1

b. To capture the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3 (parentheses on the command line must be escaped with a backslash):

# tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

c. To capture the IP packets exchanged between host 210.27.48.1 and every host except 210.27.48.2:

# tcpdump ip host 210.27.48.1 and ! 210.27.48.2

d. To capture the telnet packets received or sent by host 210.27.48.1:

# tcpdump tcp port 23 and host 210.27.48.1

e. To monitor UDP port 123 on this machine (123 is the NTP service port):

# tcpdump udp port 123

f. The system will then only monitor packets for the host named hostname; the host name can be the local host or any computer on the network. The following command reads all the data sent by host hostname:

# tcpdump -i eth0 src host hostname

g. The following command monitors all packets sent to host hostname:

# tcpdump -i eth0 dst host hostname

h. We can also monitor packets passing through a specified gateway:

# tcpdump -i eth0 gateway gatewayname

i. To monitor only the TCP or UDP packets addressed to a specified port, run:

# tcpdump -i eth0 host hostname and port 80





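The examples above, and the summary of type, logical and direction qualifiers at the end of the page, all hand-build the same few patterns: a host, an optional set of peers in parentheses, an optional excluded peer and an optional port. The following POSIX shell script is an added example, not part of the original tutorial: it composes such a filter expression in a function, hands it to tcpdump as a single quoted argument (so the parentheses need no backslashes), and wraps the capture with -nn, -s 0, -Z and -C/-W so that a long capture neither resolves names nor fills the disk. The function names, the interface eth0, the output path and the rotation sizes are assumptions; the tcpdump flags are real ones.

```shell
#!/bin/sh
# Added example (not from the original tutorial): compose a tcpdump filter
# expression from parts and build a capture command line around it.
# Function names, interface, output path and rotation sizes are assumptions.

# peer_clause "A B C" -> "(host A or host B or host C)"
peer_clause() {
    clause=""
    for p in $1; do
        [ -n "$clause" ] && clause="$clause or "
        clause="${clause}host $p"
    done
    printf '(%s)' "$clause"
}

# build_filter HOST PEERS EXCLUDE PORT
#   HOST    the host whose traffic we want (required)
#   PEERS   space-separated list of peers, or "" for any peer
#   EXCLUDE one peer to leave out, or ""
#   PORT    a port number, or ""
build_filter() {
    host=$1; peers=$2; exclude=$3; port=$4
    expr="host $host"
    [ -n "$peers" ] && expr="$expr and $(peer_clause "$peers")"
    [ -n "$exclude" ] && expr="$expr and not host $exclude"
    [ -n "$port" ] && expr="$expr and port $port"
    printf '%s' "$expr"
}

# capture_cmd IFACE OUTFILE EXPR -> the tcpdump command line as one string.
#   -nn   no host or port name lookups (faster, and no DNS traffic of our own)
#   -s 0  capture whole packets, not just the headers
#   -Z    drop root privileges once the interface has been opened
#   -C/-W rotate 100 MB files and keep at most 10, so a busy capture
#         cannot fill the disk (the tutorial warns about exactly this)
# The expression is quoted as ONE argument, so "(" and ")" need no escaping.
capture_cmd() {
    iface=$1; out=$2; expr=$3
    printf "tcpdump -i %s -nn -s 0 -Z nobody -C 100 -W 10 -w %s '%s'\n" \
        "$iface" "$out" "$expr"
}

# Demonstration on the tutorial's own addresses (commands are printed, not run).
capture_cmd eth0 /tmp/cap.pcap "$(build_filter 210.27.48.1 '210.27.48.2 210.27.48.3' '' '')"
capture_cmd eth0 /tmp/cap.pcap "$(build_filter 210.27.48.1 '' 210.27.48.2 '')"
capture_cmd eth0 /tmp/cap.pcap "$(build_filter 210.27.48.1 '' '' 23)"
```

Passing the whole expression as one argument is the difference between this and example b above: the shell never sees the parentheses as a subshell, so nothing needs escaping, and the same string can be reused in a cron job or a wrapper script without further quoting.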





(3). Explanation of tcpdump output





Here we explain the output of several typical tcpdump commands.

A. Data link layer header information

Command used: # tcpdump -e host ice

ice is a Linux host whose MAC address is 0:90:27:58:af:1a.
h219 is a Sun workstation running Solaris whose MAC address is 8:0:20:79:5b:46. The command above produces output like this:

21:50:12.847509 eth0 < 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.33357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)

Analysis: 21:50:12 is the time and 847509 is the ID number. eth0 < means the packet was received on network interface eth0 (eth0 > would mean it was sent from that interface). 8:0:20:79:5b:46 is the MAC address of host h219, so the packet was sent from h219; 0:90:27:58:af:1a is the MAC address of host ice, so the packet's destination is ice. ip means the packet is an IP packet, 60 is the packet length, and h219.33357 > ice.telnet means the packet goes from port 33357 on h219 to the telnet port (23) on ice. ack 22535 acknowledges a packet with sequence number 22535, and win 8760 means the send window size is 8760.





B. tcpdump output for ARP packets

Command used: # tcpdump arp

The resulting output is:

22:32:42.802509 eth0 > arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 eth0 < arp reply route is-at 0:90:27:12:10:66 (0:90:27:58:af:1a)

Analysis: 22:32:42 is the timestamp and 802509 is the ID number. eth0 > means the packet was sent from this host, arp means an ARP packet, and who-has route tell ice is host ice asking for the MAC address of host route. 0:90:27:58:af:1a is the MAC address of host ice.





C. Output for TCP packets

The general form of a TCP packet line captured by tcpdump is:

src > dst: flags data-seqno ack window urgent options

src > dst: gives the source and destination addresses. flags are the flag bits of the TCP packet: S (SYN), F (FIN), P (PUSH), R (RST) or "." (no flag set). data-seqno is the sequence number range of the data in the packet, ack is the next sequence number expected from the peer, window is the size of the receive window, urgent indicates whether the packet carries an urgent pointer, and options are the TCP options.

D. Output for UDP packets

The general form of a UDP packet line captured by tcpdump is:

route.port1 > ice.port2: udp length

UDP is very simple: the line above shows a UDP packet sent from port port1 of host route to port port2 of host ice; the type is udp and length is the packet length.





3. Auxiliary Tools





(1) To see which TCP or UDP ports are in use, run netstat -anp.

If some processes are not shown (only "-" appears in the program column), try:

sudo netstat -anp

To see the details of one port, use lsof, for example:

sudo lsof -i :631





-bash-3.00# netstat -tln

The netstat -tln command shows the listening TCP ports on Linux.

/etc/init.d/vsftp start starts the FTP service.

See the file /etc/services for the well-known port assignments.

netstat
shows the service ports with connections already established (ESTABLISHED)

netstat -a
shows all service ports (LISTEN and ESTABLISHED)

sudo netstat -ap
shows all service ports together with the name of the corresponding program

nmap [scan type] [scan parameters] target

For example:

nmap localhost

nmap -p 1024-65535 localhost

nmap -PT 192.168.1.127-245





When we inspect network connections with netstat -apn, we see many entries like the following:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 218.104.81.152:7710     211.100.39.250:29488    ESTABLISHED 6111/1

This shows that the server has port 7710 open. Which program does the port belong to? We can query it with lsof -i :7710:

COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd    1990 root    3u  IPv4   4836      TCP *:7710 (LISTEN)

So port 7710 belongs to the sshd program.





(2) Troubleshooting error messages when running tcpdump

tcpdump: no suitable device found
tcpdump: no devices found /dev/bpf4: No such file or directory

Two causes, with their solutions:

1. Insufficient privileges. This is usually not handled specially; run tcpdump as the root user.
2. By default only 4 tcpdump instances can run at the same time (one per bpf device); once they are all in use this error is reported. Stop the extra tcpdump processes.


Part 2: Application cases of the Linux packet capture tool tcpdump

tcpdump is not only for everyday network problems; it can also be used to analyse database problems for database tuning.





Case 1: A client (192.168.1.219) is suddenly unable to access the SQL Server database (192.168.15.14)

1. A Wireshark capture on the Windows side shows that SQL Server receives the connection request and acknowledges it (ack=1), but the client never receives the acknowledgement.





10:51:21.102439 IP (tos 0x10, ttl, id 45670, offset 0, flags [DF], length: 44) yytlc.50162 > 192.168.15.14.ms-sql-s: S [tcp sum ok] 616881461:616881461(0) win 65535 <mss 1460>
10:51:23.750271 IP (tos 0x10, ttl, id 45768, offset 0, flags [DF], length: 44) yytlc.50162 > 192.168.15.14.ms-sql-s: S [tcp sum ok] 616881461:616881461(0) win 65535 <mss 1460>
10:51:29.943904 IP (tos 0x10, ttl, id 45971, offset 0, flags [none], length: 44) yytlc.50162 > 192.168.15.14.ms-sql-s: S [tcp sum ok] 616881461:616881461(0) win 65535 <mss 1460>
10:51:42.045897 IP (tos 0x10, ttl, id 46849, offset 0, flags [none], length: 44) yytlc.50162 > 192.168.15.14.ms-sql-s: S [tcp sum ok] 616881461:616881461(0) win 65535 <mss 1460>

14309 23.459236000 192.168.1.219 192.168.15.14 TCP 50162 > ms-sql-s [SYN] Seq=0 Win=65535 Len=0 MSS=1460
14310 23.459330000 192.168.15.14 192.168.1.219 TCP ms-sql-s > 50162 [SYN, ACK] Seq=0 Ack=1 Win=8192 MSS=1460








2. Why was the packet not received? Check with the trace command:

C:\Users\Administrator>tracert 192.168.1.219

Tracing route to 192.168.1.219 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.15.30
  2    <1 ms    <1 ms    <1 ms  192.168.15.36
  3     1 ms     1 ms     1 ms  192.168.208.106
  4     1 ms     1 ms     1 ms  192.168.215.137
  5     1 ms     1 ms     1 ms  192.168.212.245
  6     1 ms    <1 ms    <1 ms  192.168.212.246
  7     1 ms     1 ms     1 ms  192.168.212.241
  8     1 ms     1 ms     1 ms  192.168.248.241
  9     1 ms     1 ms     1 ms  192.168.249.98
 10     2 ms     5 ms     1 ms  192.168.1.219

Trace complete.





3. A traceroute from the Linux side also fails to get through. The database received the request packet and sent a reply, but the client did not receive the returned packet, so the return packet is lost on the way back. The basic judgement is a routing problem.





yytlc:/#> traceroute 192.168.15.14
trying to get source for 192.168.15.14
source should be 192.168.1.219
traceroute to 192.168.15.14 (192.168.15.14) from 192.168.1.219 (192.168.1.219), hops max
outgoing MTU = 1500
 1  192.168.1.217 (192.168.1.217)  4 ms  2 ms  6 ms
 2  192.168.47.220 (192.168.47.220)  0 ms  1 ms  6 ms
 3  192.168.253.41 (192.168.253.41)  8 ms  8 ms  8 ms
 4  * * *
 5  * * *
 6  * * *
........





The packets captured while traceroute was running are:

12:08:49.834285 IP yytlc.61860 > 192.168.15.14.33456: udp 1472
12:08:55.834091 IP yytlc.61860 > 192.168.15.14.33457: udp 1472
12:09:00.835624 IP yytlc.61860 > 192.168.15.14.33458: udp 1472

At the same time the Wireshark capture on the Windows side shows that the UDP probes are received:

11539 47.422984000 192.168.1.219 192.168.15.14 UDP 1514 Source port: 61860 Destination port: 33457

4. With the help of a network specialist, the cause was identified as a routing problem on a Juniper router, which prevented the return packets from being delivered correctly.





Case 2: The sqlplus client cannot connect to the Oracle database; the connection fails with ORA-12537

Symptom: connection error

[oracle@localhost ~]$ sqlplus u/p@smpdb

SQL*Plus: Release 11.2.0.2.0 Production on Monday November 25 14:32:45 2013

Copyright (c) 1982, Oracle. All rights reserved.

ERROR:
ORA-12537: TNS:connection closed

Client-side capture: the client receives the reply packets, but then the connection is closed.





[root@localhost ~]# tcpdump -i eth0 host 192.168.3.220
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size bytes
16:48:07.048525 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: S 2870102332:2870102332(0) win 5840 <mss 1460,sackOK,timestamp 443389148 0,nop,wscale 7>
16:48:07.048872 IP 192.168.3.220.ncube-lm > 192.168.1.45.38405: S 2343325666:2343325666(0) ack 2870102333 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 32985 443389148>
16:48:07.048882 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: . ack 1 win <nop,nop,timestamp 443389149 32985>
16:48:07.049044 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: P 1:225(224) ack 1 win <nop,nop,timestamp 443389149 32985>
16:48:07.049145 IP 192.168.3.220.ncube-lm > 192.168.1.45.38405: . ack win 8298 <nop,nop,timestamp 32986 443389149>
16:49:07.370802 IP 192.168.3.220.ncube-lm > 192.168.1.45.38405: F 1:1(0) ack win 8298 <nop,nop,timestamp 92987 443389149>
16:49:07.370888 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: . ack 2 win <nop,nop,timestamp 443449471 92987>
16:49:07.371014 IP 192.168.1.45.38405 > 192.168.3.220.ncube-lm: F 225:225(0) ack 2 win <nop,nop,timestamp 443449471 92987>
16:49:07.371121 IP 192.168.3.220.ncube-lm > 192.168.1.45.38405: . ack 8297 win <nop,nop,timestamp 92987 443449471>





Capture on the database server: only the connection requests arrive, and no response packets are sent (note that this contradicts the client-side capture, which did receive a reply; the specific reason for this was not understood).





16:53:57.176963 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,nop,wscale 3,sackOK,TS val 32986 ecr 0], length 0
16:54:00.185469 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,nop,wscale 3,sackOK,TS val 35986 ecr 0], length 0
16:54:03.396744 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,nop,wscale 3,sackOK,TS val 39186 ecr 0], length 0
16:54:06.618718 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,sackOK,eol], length 0
16:54:09.846067 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,sackOK,eol], length 0
16:54:13.073922 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 1170139240, win 65535, options [mss 1380,sackOK,eol], length 0
16:54:19.326237 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 936514366, win 65535, options [mss 1380,sackOK,eol], length 0
16:54:31.603109 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 936514366, win 65535, options [mss 1380,sackOK,eol], length 0
16:54:55.892606 IP 192.168.1.45.38405 > dsapp2.ncube-lm: Flags [S], seq 802356553, win 65535, options [mss 1380,sackOK,eol], length 0





Preliminary diagnosis:

The server does receive the packets for the database port 1521, so the network firewall has been opened and the problem lies on the database server side. No connection requests from the client appear in the listener.log of the server.

Final diagnosis:

An iptables firewall policy on the database server prevented the client from connecting to the database. After the relevant rule was opened in iptables, access was normal.
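Both cases above are diagnosed from the same pattern in the tcpdump output: a client repeats its SYN, and the question is whether a SYN-ACK ever travels in the opposite direction (Case 1 shows the SYN-ACK leaving the server but never reaching the client; Case 2 shows SYNs arriving at the server with no reply at all). The section on the TCP output format earlier on this page (src > dst: flags data-seqno ack window ...) describes the fields this relies on. The script below is an added example, not from the original tutorial: an awk-based shell function that reads tcpdump text output on standard input, pairs each client's SYNs with SYN-ACKs in the reverse direction, and reports which client/server pairs were never answered. The sample capture lines are constructed for this example (same line format as the Linux tcpdump captures in the cases, with made-up sequence numbers), and the function name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original tutorial): spot unanswered TCP
# handshakes in tcpdump text output, the pattern behind cases 1 and 2.
# Function name and sample lines are constructed for this example.

# Constructed sample: three retransmitted SYNs that get no SYN-ACK
# (the Case 2 pattern) and one handshake that completes normally.
SAMPLE_CAPTURE='16:53:57.176963 IP 192.168.1.45.38405 > 192.168.3.220.1521: Flags [S], seq 1170139240, win 65535, options [mss 1380,sackOK,TS val 32986 ecr 0], length 0
16:54:00.185469 IP 192.168.1.45.38405 > 192.168.3.220.1521: Flags [S], seq 1170139240, win 65535, options [mss 1380,sackOK,TS val 35986 ecr 0], length 0
16:54:03.396744 IP 192.168.1.45.38405 > 192.168.3.220.1521: Flags [S], seq 1170139240, win 65535, options [mss 1380,sackOK,TS val 39186 ecr 0], length 0
10:48:10.171437 IP 192.168.9.37.55460 > 192.168.5.5.21: Flags [S], seq 2473112340, win 8064, options [mss 1460], length 0
10:48:10.171486 IP 192.168.5.5.21 > 192.168.9.37.55460: Flags [S.], seq 2946208392, ack 2473112341, win 14600, options [mss 1460], length 0
10:48:10.171500 IP 192.168.9.37.55460 > 192.168.5.5.21: Flags [.], ack 1, win 8064, length 0'

# handshake_report: read tcpdump lines on stdin and print one line per
# client -> server pair: "CLIENT > SERVER SYN=n SYNACK=m answered|unanswered".
# Field layout of a Linux tcpdump line (whitespace separated):
#   $1 time  $2 "IP"  $3 src.port  $4 ">"  $5 dst.port:  $6 "Flags"  $7 "[S],"
# A SYN-ACK travels server -> client, so its key is reversed to match the
# client -> server key of the SYN it answers. Lines in any other format
# (no "Flags" in field 6) are ignored.
handshake_report() {
    awk '
        $6 == "Flags" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            f = $7; gsub(/[][,]/, "", f)            # "[S.]," -> "S."
            if (f == "S")  syn[src " > " dst]++
            if (f == "S.") synack[dst " > " src]++
        }
        END {
            for (k in syn) {
                n = synack[k] + 0
                printf "%s SYN=%d SYNACK=%d %s\n", k, syn[k], n,
                       (n > 0 ? "answered" : "unanswered")
            }
        }' | sort
}

# Typical live use (first 1000 SYN/SYN-ACK packets, no name resolution):
#   tcpdump -nn -c 1000 -i eth0 'tcp[tcpflags] & tcp-syn != 0' | handshake_report
printf '%s\n' "$SAMPLE_CAPTURE" | handshake_report
```

Run on a capture taken on the server, an "unanswered" line means the server never sent a SYN-ACK (Case 2: look at the host firewall or the listener); the same line in a capture taken on the client, while the server's capture shows the SYN-ACK leaving, means the reply is lost in transit (Case 1: look at the routing).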





Case 3: The FTP data port is blocked after enabling Linux iptables

Symptom: FTP connects normally but cannot transfer data.

When FTP fails in this way, the data transfer uses the ftp-data port. The capture below shows the server's SYN from ftp-data to the client's port 55516 being retransmitted 16 seconds later, with no SYN-ACK in between:

[root@stylog1 ~]# tcpdump -i bond0 host 192.168.9.37
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:48:10.171437 IP 192.168.9.37.55460 > 192.168.5.5.ftp: Flags [P.], seq 2473112340:2473112365, ack 2946208393, win 8064, length 25
10:48:10.171486 IP 192.168.5.5.ftp > 192.168.9.37.55460: Flags [.], ack, win, length 0

10:51:38.397111 IP 192.168.5.5.ftp-data > 192.168.9.37.55516: Flags [S], seq 2207620674, win 14600, options [mss 1460,sackOK,TS val 1965825832 ecr 0,nop,wscale 7], length 0
10:51:54.397107 IP 192.168.5.5.ftp-data > 192.168.9.37.55516: Flags [S], seq 2207620674, win 14600, options [mss 1460,sackOK,TS val 1965841832 ecr 0,nop,wscale 7], length 0

ftp-data uses port 20, and no firewall policy had been opened for this port:

[root@stylog1 ~]# cat /etc/services | grep ftp-data
ftp-data        20/tcp
ftp-data        20/udp
ftp-data        20/sctp         # FTP
kftp-data       6620/tcp        # Kerberos V5 FTP data
kftp-data       6620/udp        # Kerberos V5 FTP data








Case 4: Slow business access after a middleware server was migrated to the cloud platform (updated 2014-03-31)

Problem description: After the server was migrated to the cloud platform, business tests were noticeably slow: 1.2 seconds before migration, 2.7 seconds on the cloud platform.

Since this was a test environment, tcpdump was used to analyse the packets. It turned out that a total of about 600 SQL statements are executed when handling one transaction:

tcpdump -A -i eth0 -nn port 15701 and dst host 10.4.1.1 | grep -i select
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
....@select companyimp0_.compa0_.virtualHost as virtualh5_@6_0_, companyimp0_.mx as mx6_0_, ..., companyimp0_.logoid as logoid6_0_ from company companyimp0_ where companyimp0_.companyid=:1 ............................ T ... '
...@select groupimpl0_.grou10_0_, groupimpl0_.name a@s name10_0_, groupimpl0_.description ... descript9_10_0_, groupim@pl0_.type_ as type10_10_0_, groupimpl0_.typesettings as typeset1@1_10_0_, groupimpl0_.friendlyurl as friendl12_10_0_, groupimpl0_@.active_ as active13_10_0_ from Group_ groupimpl0_ where groupimpl0_.groupid=:1 ............ ......... T........
...
-- total 580+ SQL statements





Before the migration the systems were in the same network segment and a single SQL query took 1 ms; after the migration there is a firewall in between and a query takes 3 ms. With about 600 SQL statements per transaction, each business operation gained roughly 1.8 s. That is why it became slow.

Note: because this is a test environment, the SQL could also have been collected with the trace facility that Oracle provides; tcpdump is sometimes simply a convenient and quick way to do it from the client side.

The result is almost identical to that of Oracle SQL Trace: 583 user SQL statements in session.





OVERALL TOTALS FOR ALL RECURSIVE STATEMENTS

call     count       cpu    elapsed       disk      query    current        rows
------- ------  -------- ---------- ---------- ---------- ----------  ----------
Parse       19      0.00       0.00          0          0          0           0
Execute     90      0.00       0.02          0          0          0           0
Fetch      116      0.01       0.06         21        338          0         127
------- ------  -------- ---------- ---------- ---------- ----------  ----------
total      225      0.01       0.09         21        338          0         127

Misses in library cache during parse: 11
Misses in library cache during execute: 11

  583  user  SQL statements in session.
       internal SQL statements in session.
  673  SQL statements in session.



Summary of tcpdump usage

1. Type qualifiers

The type qualifiers are host, port and net. host specifies a source or destination host address, port specifies a port, and net specifies a subnet. For example:

tcpdump 'port 80'             listens on port 80
tcpdump 'net 192.168.1'       listens on subnet 192.168.1.0
tcpdump 'net 192.168.1.0/24'

2. Logical operators

The logical operators are and, or and not. Parentheses group several expressions together.

tcpdump 'port 80 and (host 192.168.1.10 or host 192.168.1.11)'

listens on port 80 of host 192.168.1.10 or host 192.168.1.11.

3. Direction qualifiers

The keyword src specifies the source address and dst the destination address.

tcpdump 'port and (src 192.168.1.10 or src 192.168.1.11)'
tcpdump 'dst port 25'

4. Protocol qualifiers

Used to capture packets of a specific protocol: ether (Ethernet), tcp, udp, icmp, ip, ip6 (IPv6), arp, rarp (reverse ARP) and so on.

5. Other primitives

The remaining primitives are mainly the arithmetic operators (+, -, *, /, >, <, >=, <=, != and so on), broadcast, gateway, greater and less.

broadcast captures broadcast packets; greater and less are equivalent to >= and <= on the packet length.

Small examples:

Capture the traffic on local port 20000:

tcpdump -s 0 -i lo port 20000 -w /tmp/20000.pcap

Capture the traffic of 10.8.2.181 port 7001:

tcpdump -i eth0 -s 0 host 10.8.2.181 and port 7001 -w /tmp/syrk.pcap
